GrapheneOS: It has separate verified boot with downgrade protection and update signature verification with downgrade protection. The OS is only responsible for uploading the firmware updates. It doesn't in any way defeat the purpose of it. Insider attack protection is provided by not accepting firmware updates even if they have a valid signature and higher version until the Owner user has successfully authenticated, that's all.
Thanks for explaining. Hopefully I have this right now?
- The secure element decides for itself whether an ostensible upgrade to its firmware is or is not acceptable, by checking that it's signed by Google and isn't a version downgrade.
- After a reboot, the secure element won't consider a firmware upgrade from the OS before it has been unlocked.
So the standard sequence is:
- The device downloads a new release, sets things up for Recovery to do the A/B swap, and then reboots into Recovery.
- Recovery does the same checks as it would for an OTA sideload, e.g., the new OS is signed with the correct key and isn't a version downgrade. If the new OS passes, Recovery does the slot swap, and boots the new OS.
- The new OS waits to be unlocked, then offers the secure element new firmware.
- The secure element validates the new firmware before installing it.
If that is right, then the insider attack protection that is provided is that Google could prepare a malicious OS update containing malicious secure-element firmware, both with good signatures and version numbers, and that OTA image could be loaded onto the device, but the new secure-element firmware wouldn't be accepted by the secure element without the unlock code.
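As an added example (not code from GrapheneOS, Google, or either poster), here is a small Go model of the acceptance policy summarised in the reply above: a firmware image is installed only if it carries a valid vendor signature, is newer than what is running, and the Owner user has authenticated since the last boot. The image container, the `SecureElement` type, the Ed25519 keys and the scenario are assumptions made for illustration; the thread does not describe the real firmware format or the secure element's interface.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update container: a monotonically
// increasing version, the firmware body, and an Ed25519 signature over
// version || body. The real container format is not described in the thread.
type FirmwareImage struct {
	Version uint32
	Body    []byte
	Sig     []byte
}

// SecureElement models only the state the acceptance policy needs (assumed).
type SecureElement struct {
	vendorPub   ed25519.PublicKey // stands in for the vendor key baked into the SE
	installed   uint32            // version of the firmware currently running
	ownerAuthed bool              // set by a successful Owner-user unlock, cleared on reboot
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrDowngrade    = errors.New("firmware version not higher than installed")
	ErrNotUnlocked  = errors.New("Owner user has not authenticated since boot")
)

func NewSecureElement(vendorPub ed25519.PublicKey, installed uint32) *SecureElement {
	return &SecureElement{vendorPub: vendorPub, installed: installed}
}

// signedMessage binds the version to the body so the version field cannot
// be edited without invalidating the signature.
func signedMessage(version uint32, body []byte) []byte {
	msg := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, body...)
}

// SignFirmware is the vendor-side signing step (hypothetical helper).
func SignFirmware(priv ed25519.PrivateKey, version uint32, body []byte) FirmwareImage {
	return FirmwareImage{Version: version, Body: body, Sig: ed25519.Sign(priv, signedMessage(version, body))}
}

func (se *SecureElement) Reboot()             { se.ownerAuthed = false }
func (se *SecureElement) OwnerAuthenticated() { se.ownerAuthed = true }
func (se *SecureElement) Installed() uint32   { return se.installed }

// Install applies the three checks from the thread: vendor signature,
// no downgrade, and Owner authentication since boot. The check order is a
// modelling choice; the outcome is the same whichever check fails first.
func (se *SecureElement) Install(img FirmwareImage) error {
	if !ed25519.Verify(se.vendorPub, signedMessage(img.Version, img.Body), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= se.installed {
		return ErrDowngrade
	}
	if !se.ownerAuthed {
		return ErrNotUnlocked
	}
	se.installed = img.Version
	return nil
}

// RunScenario walks through the sequence discussed in the thread and
// returns the outcome of each Install attempt, in order.
func RunScenario() []error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the SE does not trust
	se := NewSecureElement(vendorPub, 5)

	var results []error
	// 1. Fresh boot: validly signed, higher version, but Owner not yet authenticated.
	results = append(results, se.Install(SignFirmware(vendorPriv, 6, []byte("fw6"))))
	// 2. Owner unlocks; the same image is now accepted.
	se.OwnerAuthenticated()
	results = append(results, se.Install(SignFirmware(vendorPriv, 6, []byte("fw6"))))
	// 3. Still unlocked, but the image is not newer than what is installed.
	results = append(results, se.Install(SignFirmware(vendorPriv, 6, []byte("fw6-again"))))
	// 4. Newer version, but signed by a key the SE does not trust.
	results = append(results, se.Install(SignFirmware(otherPriv, 7, []byte("fw7"))))
	// 5. Reboot clears the unlock; a genuine newer image is held back again.
	se.Reboot()
	results = append(results, se.Install(SignFirmware(vendorPriv, 7, []byte("fw7"))))
	return results
}

func main() {
	for i, err := range RunScenario() {
		fmt.Printf("attempt %d: %v\n", i+1, err)
	}
}
```

Attempt 1 is the case the reply describes as insider attack protection: the image passes the signature and version checks and is still refused because nobody has unlocked the device since boot. Attempt 5 shows that the unlock does not persist across a reboot, so an attacker who can reboot the device cannot reuse an earlier authentication.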